Abstract. The field of implicit complexity has recently produced several bounded-complexity programming languages. This kind of language allows one to implement exactly the functions belonging to a certain complexity class. We here present a realizability semantics for a higher-order functional language based on a fragment of linear logic called LAL which characterizes the complexity class PTIME. This language features recursive types and higher-order store. Our realizability is based on biorthogonality and step-indexing, and is moreover quantitative. This last feature enables us not only to derive a semantical proof of termination, but also to give bounds on the number of computational steps needed by typed programs to terminate.



1 Introduction 

Implicit computational complexity — This research field aims at providing machine-independent characterizations of complexity classes (such as polynomial time or logspace functions). One approach is to use type systems based on linear logic to control the complexity of higher-order functional programs. In particular, the so-called light logics (e.g. LLL [7], SLL [11]) have led to various type systems for the λ-calculus guaranteeing that a well-typed term has a bounded complexity [3]. These logics introduce the modalities '!' (read bang) and '§' (read paragraph). By a fine control of the nesting of these modalities, which is called the depth, the duplication of data can be made explicit and the complexity of programs can be tamed. This framework has recently been extended to a higher-order process calculus [5] and a functional language with recursive definitions [15]. Also, Amadio and Madet have proposed [15] a multi-threaded λ-calculus with higher-order store that enjoys elementary time termination.



Quantitative realizability — Starting from Kleene, the concept of realizability has been introduced in different forms and has been shown very useful to build models of computational systems. In a series of works [12, 13], Dal Lago and Hofmann have shown how to extend Kleene realizability with quantitative information in order to interpret subsystems of linear logic with restricted complexity. The idea behind Dal Lago and Hofmann's work is to consider bounded-time programs as realizers, where bounds are represented by elements of a resource monoid. In [5] the first author has shown how this quantitative extension fits well in a biorthogonality-based framework (namely Krivine's classical realizability [5]) and how it relates to the notion of forcing.

Step-indexing — In order to give a semantical account of features like recursive or reference types, one has to face troublesome circularity issues. To solve this problem, Appel and McAllester [2] have proposed step-indexed models. The idea is to define the interpretation of a type as a predicate on terms indexed by numbers. Informally, a term t belongs to the interpretation of a type τ with the index k ∈ ℕ if, when t is executed for k steps, it satisfies the predicate associated to τ. Then, it is possible to define by induction on the index k the interpretation of recursive or reference types. Step-indexing has been related to Gödel-Löb logic and the later operator ▷ [17].

Contributions — In this paper, we present a typed λ-calculus called λ^reg_LAL whose functional core is based on the light logic LAL [3]. We extend it with recursive types and higher-order store. Even in presence of these features, every program typable in λ^reg_LAL terminates in polynomial time. To prove termination in bounded time, we propose a new quantitative realizability semantics with the following features:

— It is biorthogonality based, which permits a simple presentation and allows the possibility to interpret control operators (though this is only discussed informally in the conclusion of this paper).

— It is indexed, which permits to interpret higher-order store and recursive types. The particularity is that our model is indexed by depths (the nesting of modalities) instead of computational steps (as in step-indexing).

To our knowledge, this is the first semantics presenting at the same time quantitative, indexed and biorthogonality features.

Outline — Section 2 introduces the language λ^reg_LAL and its type system. In Section 3 we introduce the indexed quantitative realizability. It is then used to obtain a semantic model for λ^reg_LAL, which in turn implies termination in polynomial time of typed programs. Finally, we mention related works in Section 4 and in Section 5 we discuss future research directions and conclude.

2 The language 

This section presents the language λ^reg_LAL and its type system. Before going into details, we give some intuitions on the modalities bang and paragraph and explain how we deal with side-effects with the notion of region.

On bang and paragraph — The functional core of the language is an affine λ-calculus, which means that functions use their argument at most once. Modal constructors '!' and '§' originating from LAL are added to the language. Intuitively, from a value V which can be used at most once, we can construct a value !V which can be duplicated with a special modal binder. Values which have been duplicated are of the shape §V and therefore cannot be duplicated anymore. We will see more precisely with the type system how we can be polynomial with these modal operators.

On regions — Following a standard practice in effect systems [14], the global store is abstracted into a finite set of regions where each region represents one or several dynamic memory locations. Then, side-effects are produced by read and write operators on constant region names. As noted by Amadio [1], the abstract language with regions simulates the concrete language with dynamic memory locations as long as the values assigned to regions do not erase the previous ones. In particular, termination in polynomial time of the language with regions should entail termination in polynomial time of the language with references. There are two reasons for working with regions instead of memory locations. First, they allow us to deal with several kinds of side-effects. Our language is sequential, hence regions naturally represent higher-order references à la ML, but in the context of concurrent programming they could represent communication channels or even signals in the context of reactive programming. Second, we find it easier to give a semantic model of a type system with regions instead of dynamic addresses.

2.1 Syntax and operational semantics 

The syntax of the language is the following:

  Values  V ::= x | λx.M | r | () | n | !V | §V
  Terms   M ::= V | M1 M2 | V1 * V2 | !M | §M
              | let !x = V in M | let §x = V in M
              | get(r) | set(r, V)

We suppose having a countable set of variables denoted x, y, … and of regions denoted by the letters r, r', …. The terminal value unit is denoted by (). Integers are denoted by n and V1 * V2 stands for any arithmetical operation. Modal terms and modal values are built with the unary constructors ! and § and are destructed by the respective let ! and let § binders. The terms get(r) and set(r, V) are respectively used to read a value from a region r and to assign a value V to a region r. As usual we write the sequential composition M; N for (λx.N) M where x does not occur free in N. We denote by M[N/x] the term M in which each free occurrence of x has been substituted by N.

The operational semantics of the language is presented in the form of an abstract machine. We first define the configurations of the abstract machine:

  Environments    E ::= ◇ | V · E | M ⊙ E | ! · E | § · E
  Stores          S ::= r ⇐ V | S1 ⊎ S2
  Configurations  C ::= (M, E, S)

Programs are intended to be executed with a right-to-left call-by-value strategy. Hence, an environment E is either an empty frame ◇, a stack of frames to evaluate on the left of a value (V · E), on the right of a term (M ⊙ E) or in-depth of a term (! · E and § · E). Finally, a store S is a multiset of region assignments r ⇐ V. A configuration of the abstract machine is executed according to the following rules:

  (n1 * n2, E, S)            → (n, E, S)                 where n is the result of n1 * n2
  (λx.M, V · E, S)           → (M[V/x], E, S)
  (M N, E, S)                → (N, M ⊙ E, S)
  (V, M ⊙ E, S)              → (M, V · E, S)
  (†M, E, S)                 → (M, † · E, S)             if M is not a value
  (V, † · E, S)              → (†V, E, S)
  (let †x = †V in M, E, S)   → (M[V/x], E, S)
  (get(r), E, r ⇐ V ⊎ S)     → (V, E, S)
  (set(r, V), E, S)          → ((), E, r ⇐ V ⊎ S)

For the sake of conciseness we wrote † for † ∈ {!, §}. Observe that the let †-binders destruct modal values †V and propagate V. Therefore, a value !^n V should be duplicable at least n times. Reading a region amounts to consuming the value from the store and writing to a region amounts to adding the value to the store. We consider programs up to α-renaming and in the sequel →* denotes the reflexive and transitive closure of →.

Example 1. Here is a function F = λx. let !y = x in set(r1, §y); set(r2, §y) that duplicates its argument and assigns it to regions r1 and r2. It can be used to duplicate a value from another region r3 as follows:

  (F get(r3), ◇, r3 ⇐ !V)  →*  ((), ◇, r1 ⇐ §V ⊎ r2 ⇐ §V)

Therefore the value §V stored in r1 and r2 is no longer duplicable.

Definition 1. We define the notation (M, E, S) ⇓^n as the following statement:

— The evaluation of (M, E, S) in the abstract machine terminates.

— The number of steps needed by (M, E, S) to terminate is n.
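As an added example (this is not code from the paper), the following Python implements the abstract machine above with terms, stacks and stores encoded as plain tuples, lists and dicts, and counts transitions so that `run` returns the n of Definition 1. Two points the rules leave open are assumptions of this example: a get on a region holding several assignments takes the most recently written one (any choice from the multiset would do), and the arithmetic operations are limited to +, - and *. The function `example1` encodes the function F of Example 1 applied to get(r3).

```python
"""Abstract machine for the region calculus (added example, not from the paper).

Terms are nested tuples:
  ('var', x) ('lam', x, M) ('reg', r) ('unit',) ('int', n)
  ('bang', M) ('para', M)                  # !M and §M
  ('app', M, N) ('arith', op, V1, V2)
  ('let', mod, x, V, M)                    # let !x = V in M  (mod='bang') / let §x = V in M (mod='para')
  ('get', r) ('set', r, V)
A stack E is a Python list of frames, top first:
  ('val', V)  ('term', M)  ('mod', 'bang' | 'para')     # V . E,  M (.) E,  ! . E / § . E
A store S is a dict region -> list of values, i.e. a multiset of assignments r <= V.
"""
import operator

OPS = {'+': operator.add, '-': operator.sub, '*': operator.mul}   # assumption: the arithmetic ops


def is_value(t):
    if t[0] in ('bang', 'para'):
        return is_value(t[1])
    return t[0] in ('var', 'lam', 'reg', 'unit', 'int')


def subst(t, x, v):
    """t[v/x]. The machine only substitutes closed values, so no capture can occur."""
    tag = t[0]
    if tag == 'var':
        return v if t[1] == x else t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, v))
    if tag in ('bang', 'para'):
        return (tag, subst(t[1], x, v))
    if tag == 'app':
        return ('app', subst(t[1], x, v), subst(t[2], x, v))
    if tag == 'arith':
        return ('arith', t[1], subst(t[2], x, v), subst(t[3], x, v))
    if tag == 'let':
        mod, y, val, body = t[1:]
        return ('let', mod, y, subst(val, x, v), body if y == x else subst(body, x, v))
    if tag == 'set':
        return ('set', t[1], subst(t[2], x, v))
    return t  # reg, unit, int, get carry no variables


def step(M, E, S):
    """One transition of the machine, or None when no rule applies."""
    tag = M[0]
    if is_value(M):
        if E and E[0][0] == 'val' and tag == 'lam':   # (lam x.M, V.E, S) -> (M[V/x], E, S)
            return subst(M[2], M[1], E[0][1]), E[1:], S
        if E and E[0][0] == 'term':                   # (V, M(.)E, S) -> (M, V.E, S)
            return E[0][1], [('val', M)] + E[1:], S
        if E and E[0][0] == 'mod':                    # (V, +.E, S) -> (+V, E, S)
            return (E[0][1], M), E[1:], S
        return None                                   # terminal value, or stuck
    if tag == 'arith':                                # (n1 * n2, E, S) -> (n, E, S)
        return ('int', OPS[M[1]](M[2][1], M[3][1])), E, S
    if tag == 'app':                                  # right-to-left: push M, evaluate N first
        return M[2], [('term', M[1])] + E, S
    if tag in ('bang', 'para'):                       # (+M, E, S) -> (M, +.E, S), M not a value
        return M[1], [('mod', tag)] + E, S
    if tag == 'let' and M[3][0] == M[1]:              # (let +x = +V in N, E, S) -> (N[V/x], E, S)
        return subst(M[4], M[2], M[3][1]), E, S
    if tag == 'get':                                  # reading consumes one assignment of r
        vals = S.get(M[1], [])
        if not vals:
            return None                               # stuck: the region is empty
        return vals[-1], E, {**S, M[1]: vals[:-1]}    # assumption: take the latest assignment
    if tag == 'set':                                  # writing adds an assignment to r
        return ('unit',), E, {**S, M[1]: S.get(M[1], []) + [M[2]]}
    return None


def run(M, S=None, fuel=10_000):
    """Execute (M, <>, S). Returns (final term, final store, steps, 'value' | 'stuck')."""
    E, S, n = [], dict(S or {}), 0
    while n < fuel:
        nxt = step(M, E, S)
        if nxt is None:
            break
        M, E, S = nxt
        n += 1
    status = 'value' if is_value(M) and not E else 'stuck'
    return M, S, n, status


_fresh = [0]
def seq(M, N):
    """M; N is sugar for (lam z.N) M with z not free in N."""
    _fresh[0] += 1
    return ('app', ('lam', f'_z{_fresh[0]}', N), M)


def example1(V=('int', 7)):
    """F = lam x. let !y = x in set(r1, §y); set(r2, §y), applied to get(r3) with r3 <= !V."""
    body = seq(('set', 'r1', ('para', ('var', 'y'))), ('set', 'r2', ('para', ('var', 'y'))))
    F = ('lam', 'x', ('let', 'bang', 'y', ('var', 'x'), body))
    return run(('app', F, ('get', 'r3')), {'r3': [('bang', V)]})
```

Running `example1()` ends in the configuration of Example 1 (unit, with §7 in r1 and r2 and r3 emptied) after exactly 10 transitions, and `run(('get', 'r'), {})` reports `'stuck'` with 0 steps, which is the case Proposition 1 below excludes.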

2.2 Type system 

The light logic LAL relies on a stratification principle which is at the basis of our type system. We first give an informal explanation of this principle.

On stratification — Each occurrence of a program can be given a depth, which is the number of nested modal constructors that it appears under. Here is an example for the program P where each occurrence is labeled with its depth:

  P = (λx. let !y = x in set(r, §y)) !V; get(r)

where λx, let !y, x, set(r), § and get(r) occur at depth 0, while y and V occur at depth 1 (under § and ! respectively).

The depth d(M) of a term M is the maximum depth of its occurrences. The stratification principle is that the depth of every occurrence is preserved by reduction. On the functional side, it can be ensured by these two constraints: (1) if a λ-abstraction occurs at depth d, then it binds at depth d; (2) if a let † occurs at depth d, then it binds at depth d + 1. These two constraints are respected by the program P and we observe in the following reduction

  (P, ◇, ∅)  →*  (set(r, §V), ◇, ∅)

that the depth of V is preserved. In order to preserve the depth of occurrences that go through the store, this third constraint is needed: (3) for each region r, get(r) and set(r) must occur at a fixed depth d_r. We observe that this is the case of program P where d_r = 0. Consequently, the reduction terminates as follows

  (set(r, §V), ◇, ∅)  →*  (§V, ◇, ∅)

where the depth of V is still preserved. Stratification on the functional side has been deeply studied by Terui with the Light Affine λ-calculus [20] and extended to regions by Amadio and the second author [15].

We now present the type system for λ^reg_LAL that formalizes stratification and should ensure polynomial soundness.
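The three constraints are purely syntactic, so they can be checked before typing. The following Python is an added example (not from the paper): it walks a term carrying the current depth and, for every binder, the depth at which its variable must occur (d for a λ at depth d, d + 1 for a let † at depth d), and records the depth of the first get/set on each region so that every later access can be compared with it. The tuple encoding of terms is an assumption of this example; the program `P` is the one discussed above, and `BAD1` and `BAD2` are constructed counter-examples violating constraints (2) and (3).

```python
"""Stratification checker for the region calculus (added example, not from the paper).

Term encoding (assumed by this example):
  ('var', x) ('lam', x, M) ('reg', r) ('unit',) ('int', n)
  ('bang', M) ('para', M)                 # !M and §M
  ('app', M, N) ('arith', op, V1, V2)
  ('let', mod, x, V, M)                   # mod in {'bang', 'para'}
  ('get', r) ('set', r, V)
"""


def depth(t):
    """d(M): maximal number of nested modal constructors over all occurrences."""
    if t[0] in ('bang', 'para'):
        return 1 + depth(t[1])
    return max((depth(s) for s in t[1:] if isinstance(s, tuple)), default=0)


def stratification_violations(term):
    """Return (region_depths, violations) for a closed term.

    Constraint (1): a lambda at depth d binds occurrences at depth d.
    Constraint (2): a let-! or let-§ at depth d binds occurrences at depth d + 1.
    Constraint (3): all get(r) / set(r) occur at one fixed depth d_r.
    """
    region_depths = {}
    violations = []

    def note_region(r, d, where):
        if region_depths.setdefault(r, d) != d:
            violations.append(f'{where}({r}) at depth {d}, expected {region_depths[r]}')

    def walk(t, d, env):
        tag = t[0]
        if tag == 'var':
            if t[1] in env and env[t[1]] != d:
                violations.append(f'{t[1]} occurs at depth {d}, bound for depth {env[t[1]]}')
        elif tag == 'lam':
            walk(t[2], d, {**env, t[1]: d})            # (1): binds at the same depth
        elif tag in ('bang', 'para'):
            walk(t[1], d + 1, env)                     # one more nested modality
        elif tag == 'app':
            walk(t[1], d, env)
            walk(t[2], d, env)
        elif tag == 'arith':
            walk(t[2], d, env)
            walk(t[3], d, env)
        elif tag == 'let':
            walk(t[3], d, env)
            walk(t[4], d, {**env, t[2]: d + 1})        # (2): binds one level deeper
        elif tag == 'get':
            note_region(t[1], d, 'get')                # (3)
        elif tag == 'set':
            note_region(t[1], d, 'set')                # (3)
            walk(t[2], d, env)
        # reg, unit, int: nothing to check

    walk(term, 0, {})
    return region_depths, violations


def is_stratified(term):
    return not stratification_violations(term)[1]


# P = (lam x. let !y = x in set(r, §y)) !V ; get(r), with V = 7 and "M; N" as (lam z.N) M
P = ('app', ('lam', '_z', ('get', 'r')),
     ('app', ('lam', 'x', ('let', 'bang', 'y', ('var', 'x'),
                           ('set', 'r', ('para', ('var', 'y'))))),
             ('bang', ('int', 7))))
# constructed counter-examples
BAD1 = ('lam', 'x', ('let', 'bang', 'y', ('var', 'x'), ('set', 'r', ('var', 'y'))))  # y used at depth 0
BAD2 = ('app', ('lam', '_z', ('get', 'r')), ('para', ('set', 'r', ('unit',))))       # r at depths 0 and 1
```

On `P` the checker reports no violation and d_r = 0, as in the text; `BAD1` is rejected because y, bound by a let ! at depth 0, is used at depth 0 instead of 1, and `BAD2` because the same region is written at depth 1 and read at depth 0. Note that the checker does not look at usages: a variable used twice under a λ is a typing error, not a stratification error.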

Types and contexts — The syntax of types and contexts is the following:

  Types              A, B ::= X | Unit | N | A ⊸ B | !A | §A | μX.A | Reg_r A
  Variable contexts  Γ, Δ ::= x1 : (u1, A1), …, xn : (un, An)
  Region contexts    R    ::= r1 : (δ1, A1), …, rn : (δn, An)

We have a countable set of type variables X, X', …. Then, we distinguish the terminal type Unit, the type of integers N, the affine functional type A ⊸ B, the type !A of values that can be duplicated, the type §A of values that may have been duplicated, recursive types μX.A and the type Reg_r A of regions r containing values of type A. Hereby types may depend on regions. Following [15], a region context associates a natural number δi to each region ri of a finite set of regions {r1, …, rn} that we write dom(R). Writing r : (δ, A) means that the region r contains values of type A and that gets and sets on r may only happen at a fixed depth depending on δ. A variable context associates each variable with a usage u ∈ {λ, §, !} which constrains the variable to be bound by a λ-abstraction, a let §-binder or a let !-binder respectively. In the sequel we write Γ^u for x1 : (u, A1), …, xn : (u, An). Writing x : (u, A) means that the variable x ranges over values of type A and can be bound according to u.

Types depend on region names. As we shall see, this allows for a straightforward interpretation of the type Reg_r A. Moreover, it induces a typed translation from a language with dynamic locations to a language with regions. For example, for every occurrence P of dynamic allocation like let x = ref M in N in an ML program where M is of type A, it suffices to introduce a distinct region name r and associate the variable x with type Reg_r A. Then, the type-preserving translation of P is simply set(r, M); N[r/x]. However, we have to be careful in stating when a type A is well-formed with respect to a region context R, written R ⊢ A. Informally, the judgment r1 : (δ1, A1), …, rn : (δn, An) ⊢ B is well formed provided that: (1) all the region names occurring in the types A1, …, An, B belong to the set {r1, …, rn}, (2) all types of the shape Reg_{ri} B with i ∈ {1, …, n} and occurring in the types A1, …, An, B are such that B = Ai. The judgment R ⊢ Γ is well-formed if R ⊢ A is well-formed for every x : (u, A) ∈ Γ. We invite the reader to check in [1] that these judgements can be easily defined.

Typing rules — A typing judgment takes the form R; Γ ⊢_δ P : A and is indexed by an integer δ. The rules are given in Figure 1. They should entail the following:

— if x : (λ, A) ∈ Γ then x occurs at most once at depth 0 in P,

— if x : (§, A) ∈ Γ then x occurs at most once at depth 1 in a subterm §M of P,

— if x : (!, A) ∈ Γ then x occurs arbitrarily many times at depth 1 in a subterm §M or !M of P,

— if r : (δ', A) ∈ R then get(r) and set(r) occur at depth δ − δ' in P.

Several remarks have to be made:

— In binary rules, we implicitly require that contexts Γ and Δ are disjoint. There are explicit rules for the weakening and contraction of variables and we may only contract variables with usage !. Therefore, let !s are the only operators that can bind several occurrences of a variable.

— There are two restrictions to apply the rule !-prom: first, V may contain at most one occurrence of a free variable; second, V is a value (we cannot type !M). The first constraint ensures that the size of a program does not explode exponentially and is well studied in [20]. The second condition is due to side-effects. To see this, assume that we can type !M. Then we can derive the judgment r : (0, A); − ⊢_0 λx. let §y = x in §set(r, y); !get(r) : §A ⊸ !A. Both get(r) and set(r) occur at depth 1 but under different modalities. Clearly the type §A ⊸ !A, which cannot be derived in LAL, has to be rejected, for otherwise we could freely re-duplicate a value §V.
int:
    R ⊢
    ──────────────
    R; − ⊢_δ n : N

var:
    R ⊢
    ───────────────────────
    R; x : (λ, A) ⊢_δ x : A

arith:
    R; Γ ⊢_δ V1 : N     R; Δ ⊢_δ V2 : N
    ───────────────────────────────────
    R; Γ, Δ ⊢_δ V1 * V2 : N

unit:
    R ⊢
    ──────────────────
    R; − ⊢_δ () : Unit

reg:
    R ⊢     r : (δ, A) ∈ R
    ──────────────────────
    R; − ⊢_δ r : Reg_r A

contr:
    R; Γ, x : (!, A), y : (!, A) ⊢_δ M : B
    ──────────────────────────────────────
    R; Γ, z : (!, A) ⊢_δ M[z/x, z/y] : B

weak:
    R; Γ ⊢_δ M : B     R ⊢ Γ, x : (u, A)
    ────────────────────────────────────
    R; Γ, x : (u, A) ⊢_δ M : B

lam:
    R; Γ, x : (λ, A) ⊢_δ M : B
    ──────────────────────────
    R; Γ ⊢_δ λx.M : A ⊸ B

app:
    R; Γ ⊢_δ M1 : A ⊸ B     R; Δ ⊢_δ M2 : A
    ───────────────────────────────────────
    R; Γ, Δ ⊢_δ M1 M2 : B

!-prom:
    R; x : (λ, A) ⊢_δ V : A
    ─────────────────────────────
    R; x : (!, A) ⊢_{δ+1} !V : !A

§-prom:
    R; Γ^λ, Δ^λ ⊢_δ M : A
    ──────────────────────────────
    R; Γ^§, Δ^! ⊢_{δ+1} §M : §A

†-elim:
    R; Γ ⊢_δ V : †A     R; Δ, x : (†, A) ⊢_δ M : B
    ───────────────────────────────────────────────
    R; Γ, Δ ⊢_δ let †x = V in M : B

get:
    R; − ⊢_δ r : Reg_r A
    ────────────────────
    R; − ⊢_δ get(r) : A

set:
    R; − ⊢_δ r : Reg_r A     R; Γ ⊢_δ V : A
    ───────────────────────────────────────
    R; Γ ⊢_δ set(r, V) : Unit

un/fold:
    R; Γ ⊢_δ M : μX.A
    ──────────────────────────
    R; Γ ⊢_δ M : A[μX.A/X]

Fig. 1. Typing rules

— The depth δ of a judgment is incremented when we construct a modal term. This allows us to count the number of nested modalities and to stratify regions by requiring that the depth of a region matches the depth of the judgment in the rule reg.

— For space considerations the rule un/fold can be used upside down.

Definition 2. We say that a program M is well-typed if a judgment R; Γ ⊢_δ M : A can be derived for some R, Γ and δ such that:

— If r : (δ_r, A) ∈ R then A = §B.

— For every type fixpoint μX.A that appears in R and Γ, the occurrences of X in A are guarded by (occur under) a modality †.

— Every depth index in the derivation is positive. Note that if this is not the case, we can always find δ' > δ such that this is true for R; Γ ⊢_{δ'} M : A.

These three conditions will be needed to give a well-founded interpretation.

Example 2. The operational semantics of references (values are copied from the store) can be simulated as long as values stored in regions are of the shape !V. For example, consider the following well-typed program

  r : (0, !N); − ⊢_1 let !x = get(r) in set(r, !x); §(x * x) : §N

that reduces as follows:

  (let !x = get(r) in set(r, !x); §(x * x), ◇, r ⇐ !n)  →*  (§(n * n), ◇, r ⇐ !n)

Indeed, the region r can be considered a reference since the value !n has not been erased from the store.

The following progress property can be derived as long as the program does not try to read an empty region.

Proposition 1 (Progress). If R; Γ ⊢_δ M : A then (M, ◇, ∅) →* (V, ◇, S) and every assigned value in S can be typed.

The goal of the next section is to prove the following theorem.

Theorem 1 (Polynomial termination). There exists a family of polynomials {P_d}_{d∈ℕ} such that if M is well-typed then (M, ◇, ∅) terminates in at most P_{d(M)}(size(M)) steps.

3 "Indexed" quantitative realizability

We now present a biorthogonality-based interpretation of λ^reg_LAL. Apart from the use of biorthogonality, this interpretation has two particularities:

— First, the realizability model is quantitative. A type is interpreted by a set of weighted realizers (that is, a program together with a store and a quantity bounding its normalization time). This allows us to prove complexity properties of programs.

— Secondly, the semantics is indexed (or stratified), meaning that we interpret a type by a family of sets indexed by ℕ. Moreover the interpretation of a type is defined by double induction, first on the index n, and secondly on the size of the type. This allows us to interpret recursive types and references.

It is worth noticing that while our interpretation is similar to the so-called "step-indexed" models, the meaning of indices is not (directly) related to the number of computation steps but to the depth of terms (and so our model could be described as a "depth-indexed" model). It is the quantitative part which is used to keep track of the number of computational steps.

3.1 The light monoid

The realizability model is parametrized by a monoid, whose elements represent information about the amount of time needed by a program to terminate. To interpret λ^reg_LAL, we use the light monoid, which is a simplification of a resource monoid introduced in [12].

Definition 3. The light monoid is defined as the structure (M, +, ||·||, !, §) where

— M is the set of triples (n, m, f) such that n, m ∈ ℕ and f : ℕ → ℕ is increasing.

— If (n, m, f), (l, k, g) ∈ M, (n, m, f) + (l, k, g) = (n + l, max(m, k), max(f, g)).

— If (n, m, f) ∈ M, ||(n, m, f)|| = n · f(m + n).

— If (n, m, f) ∈ M, §(n, m, f) = (n · f(m), m, x ↦ x² f(x²)).

— Finally, for any (n, m, f) ∈ M, !(n, m, f) = (1, n + m, x ↦ x³ f(x³)).

We moreover denote by n̄ the element of M defined as (n, 0, x ↦ 0).

From now on, we use lower-case consonant letters p, q, m, v, … to denote elements of M. To give some intuition on these operations, let us say that + represents the resource consumption resulting from the interaction of two programs, and that ||p|| calculates the concrete bound (a natural number) associated to an abstract bound p ∈ M.

Remark 1. The structure (M, +, 0̄, ||·||) is a quantitative monoid in the sense of [5]. In particular, it satisfies the following inequality:

  ∀p, q,  ||p|| + ||q|| ≤ ||p + q||

This inequality informally represents the fact that the amount of resource consumed by the interaction of two programs is more than the total amount of resource used by the two programs alone.

Definition 4. Given p, q ∈ M, we say that p ≤ q iff ∀r ∈ M, ||p + r|| ≤ ||q + r||, and p < q iff ∀r ∈ M, ||p + r|| < ||q + r||.

Property 1. The relation ≤ enjoys the following properties:

— If p ≤ q, then p + r ≤ q + r.

— If p ≤ q, then ||p|| ≤ ||q||.

— If p ≤ p' and q ≤ q', then p + q ≤ p' + q'.

Property 2. The operations ! and § on the monoid M satisfy the following properties:

— §p ≤ !p

— §(p + q) ≤ §p + §q

— §p + §q ≤ §(p + q) + 2̄

— !p + !p = !p + 1̄

A third operation F will be used to interpret functoriality of !:

Property 3. Let p = (n, m, f) and q be two elements of M. We define F(p) to be (1 + n + m, m, x ↦ x³ f(x³)). We then have !(p + q) ≤ F(p) + !q.

Finally we define a notion of M-context, which is similar to an evaluation context, but for resource bounds instead of programs.

Definition 5. An M-context is any function f : M → M obtained by composition of the functions λx.x + p (where p is any element of M), λx.!x and λx.§x. The set of M-contexts is denoted by M[·].

Example 3. For instance, λx.!(!§x + 1̄) is a valid M-context, but λx.(!x + x + §x) and λx.0̄ are not.

Any M-context f is monotonic in its argument, that is, if p ≤ q then f(p) ≤ f(q), and if p < q then f(p) < f(q).

3.2 Orthogonality

Usually, orthogonality is defined between a program and an environment. Here, it is defined between a weighted program and a weighted environment.

Definition 6. — A weighted term is a pair (M, p) where M is a closed term and p an element of M. The set of weighted terms is denoted by Λ_M.
— A weighted stack is a pair (E, e) where E is a closed stack and e an element of M[·]. The set of weighted stacks is denoted by Π_M.

We choose a pole ⊥⊥ ⊆ Conf × M as the set of bounded-time terminating weighted configurations:

  ⊥⊥ = { ((M, E, S), p) | (M, E, S) ⇓^n ∧ n ≤ ||p|| }

In orthogonality-based models, fixing a pole, also called observable, corresponds to choosing a notion of correct computation.

Proposition 2. This pole satisfies some important properties:

1. (≤-saturation) If ((M, E, S), p) ∈ ⊥⊥ and p ≤ q then ((M, E, S), q) ∈ ⊥⊥.

2. (→-saturation) If ((M, E, S), p) ∈ ⊥⊥ and (M', E', S') → (M, E, S) then ((M', E', S'), p + 1̄) ∈ ⊥⊥.

The pole induces a notion of orthogonality. In contrast with usual models, since we need to deal with references, the orthogonality relation is parametrized by a set 𝒮 of stores.

Definition 7. The orthogonality relation ⊥_𝒮 ⊆ Λ_M × Π_M is defined as:

  (M, p) ⊥_𝒮 (E, e)  iff  ∀(S, s) ∈ 𝒮, ((M, E, S), e(p + s)) ∈ ⊥⊥

This orthogonality relation lifts to sets of weighted terms and weighted stacks. If X ⊆ Λ_M (resp. X ⊆ Π_M),

  X^{⊥𝒮} = { (E, e) ∈ Π_M | ∀(M, p) ∈ X, (M, p) ⊥_𝒮 (E, e) }
  (resp. X^{⊥𝒮} = { (M, p) ∈ Λ_M | ∀(E, e) ∈ X, (M, p) ⊥_𝒮 (E, e) })

The operation (·)^{⊥𝒮} satisfies the usual orthogonality properties.
Lemma 1. Suppose X, Y ⊆ Λ_M or X, Y ⊆ Π_M:

1. X ⊆ Y implies Y^{⊥𝒮} ⊆ X^{⊥𝒮}

2. X ⊆ X^{⊥𝒮⊥𝒮}

3. X^{⊥𝒮⊥𝒮⊥𝒮} = X^{⊥𝒮}

Definition 8. If X is a set of weighted realizers, we define its ≤-closure X̄ = {(M, p) | ∃q ≤ p, (M, q) ∈ X}.

Remark 2. Notice that for any 𝒮, we have X̄ ⊆ X^{⊥𝒮⊥𝒮}.

We say that a set X ⊆ Λ_M is an 𝒮-behavior if X = X^{⊥𝒮⊥𝒮}. Finally, we can define the set of 𝒮-reducibility candidates. To do that, we first need to extend the language of terms with a new constant ✠:

  M ::= … | ✠

This constant comes with no particular reduction rule. It can be seen as a special variable considered as a closed term and is in a sense the dual of the empty stack.

Definition 9. The set of 𝒮-reducibility candidates, denoted by CR_𝒮, is the set of 𝒮-behaviors X such that (✠, 0̄) ∈ X ⊆ {(◇, x ↦ x)}^{⊥𝒮}.

Remark 3. If (M, p) ∈ X where X is an 𝒮-reducibility candidate and if (∅, 0̄) ∈ 𝒮, then (M, ◇, ∅) terminates in at most ||p|| steps. In fact our notion of reducibility candidate extends the usual notion in the non-quantitative case.

Finally, suppose R is a set of regions and suppose 𝒮_R is a set of stores whose domain is restricted to R. We say that 𝒮_R ⊑ 𝒮' if 𝒮' contains 𝒮_R and if,
whenever (S, s) ∈ 𝒮' and we write S = S_R ⊎ S'' with dom(S_R) ⊆ R, there is a decomposition s = s' + s'' such that (S_R, s') ∈ 𝒮_R and moreover, if (S'_R, s'_R) ∈ 𝒮_R then (S'' ⊎ S'_R, s'' + s'_R) ∈ 𝒮'.

Remark 4. This quite involved definition will permit the interpretation of a type to enjoy properties similar to the ones called extension/restriction in [1]. In other words, given a store, it gives a way to say what substore can be removed safely and what stores can be added to it safely.



3.3 Interpretation of λ^reg_LAL

Using the orthogonality machinery previously defined, we can give an interpretation of λ^reg_LAL types as reducibility candidates. Suppose R is the following region context:

  R = r1 : (δ1, §A1), …, rn : (δn, §An)

We define three indexed sets: the interpretation |R|_δ of the region context R, the pre-interpretation ||R ⊢ A||_δ of a type A and its interpretation |R ⊢ A|^𝒮_δ with respect to a set of stores 𝒮. These three notions are defined by mutual induction, first on the index δ, and then on the size of the type A.

  |R|_{=δ} = { (S, Σ_{i,j} s_i^j) | dom(S) = { r_i | r_i : (δ_i, §A_i) ∈ R ∧ δ_i = δ }
                                 ∧ ∀r_i ∈ dom(S), S(r_i) = { §V_i^1, …, §V_i^{k_i} }
                                 ∧ ∀j ∈ [1, k_i], (V_i^j, s_i^j) ∈ ||R ⊢ A_i||_{δ−1} }

  |R|_δ = { (S, s) | ∃(S1, s1) ∈ |R|_{δ−1}, ∃(S_δ, s_δ) ∈ |R|_{=δ}, S = S1 ⊎ S_δ ∧ s = §s1 + s_δ }

For convenience, we start the indexing of the interpretation at −1 instead of 0.

  ||R ⊢ A||_{−1} = { (✠, 0̄) }

For δ ≥ 0, we define the pre-interpretation as:

  ||R ⊢ N||_δ        = { (n, 0̄) | n ∈ ℕ }
  ||R ⊢ Unit||_δ     = { ((), 0̄) }
  ||R ⊢ Reg_r A||_δ  = { (r, 0̄) }
  ||R ⊢ A ⊸ B||_δ    = { (λx.M, p) | ∀(V, v) ∈ ||R ⊢ A||_δ, ∀𝒮, |R|_δ ⊑ 𝒮, (M[V/x], p + v) ∈ |R ⊢ B|^𝒮_δ }
  ||R ⊢ §A||_δ       = { (§V, §v) | (V, v) ∈ ||R ⊢ A||_{δ−1} }
  ||R ⊢ !A||_δ       = { (!V, !v) | (V, v) ∈ ||R ⊢ A||_{δ−1} }
  ||R ⊢ μX.A||_δ     = ||R ⊢ A[μX.A/X]||_δ

The interpretation of a type with respect to a set 𝒮 is just defined as the biorthogonal of the pre-interpretation:

  |R ⊢ A|^𝒮_δ = ||R ⊢ A||_δ^{⊥𝒮⊥𝒮}

Remark 5. Because of the presence of type fixpoints and regions, several circularities could appear in the definition of ||R ⊢ A||_δ. Yet, the interpretation is well defined for the following reasons:

— The type fixpoints μX.A we consider are such that every occurrence of X in A is guarded by a modality ! or §. But these modalities make the index of the interpretation decrease by one. Hence, ||R ⊢ μX.A||_{δ+1} is well defined as soon as ||R ⊢ μX.A||_δ is.

— To define ||R ⊢ A||_{δ+1}, we need |R|_{δ+1} to be already defined. But here again, in R each type is guarded by a modality §. This implies that to define |R|_{δ+1} we only need to know each ||R ⊢ Ai||_δ.

An important point is that the interpretation of a formula A with respect to a region context R and to an index δ ∈ ℕ is a |R|_δ-reducibility candidate (it will be used to prove bounded-time termination).

Proposition 3. For all δ ∈ ℕ we have |R ⊢ A|^{|R|_δ}_δ ∈ CR_{|R|_δ}.

It is to prove the inductive case of the arrow ⊸ that the use of the constant ✠ is mandatory. Indeed it is used in the proof to reduce under the λx.
3.4 Adequacy and bounded-time termination

var:    ⊢_δ x : 0̄          reg:   ⊢_δ r : 0̄          unit:  ⊢_δ () : 0̄          int:  ⊢_δ n : 0̄

arith:
    ⊢_δ V1 : [V1]     ⊢_δ V2 : [V2]
    ───────────────────────────────
    ⊢_δ V1 * V2 : [V1] + [V2]

get:    ⊢_δ get(r) : 5̄

set:
    ⊢_δ V : [V]
    ──────────────────────────────
    ⊢_{δ+1} set(r, §V) : §[V] + 1̄

fold / unfold:
    ⊢_δ M : [M]
    ─────────────
    ⊢_δ M : [M]

contr:
    x : !, y : ! ⊢_δ M : [M]
    ────────────────────────────────
    z : ! ⊢_δ M[z/x, z/y] : [M] + 1̄

weak:
    ⊢_δ M : [M]
    ───────────────────
    x : u ⊢_δ M : [M]

lam:
    ⊢_δ M : [M]
    ──────────────────
    ⊢_δ λx.M : [M]

app:
    ⊢_δ M1 : [M1]     ⊢_δ M2 : [M2]
    ─────────────────────────────────
    ⊢_δ M1 M2 : [M1] + [M2] + 3̄

§-prom:
    ⊢_δ M : [M]
    ───────────────────────
    ⊢_{δ+1} §M : §[M] + 4̄

§-elim:
    ⊢_δ V : [V]     ⊢_δ M : [M]
    ──────────────────────────────────────
    ⊢_δ let §x = V in M : [M] + [V] + 3̄

!-prom:
    Γ ⊢_δ M : [M]
    ─────────────────────
    ⊢_{δ+1} !M : F([M])

!-elim:
    ⊢_δ V : [V]     ⊢_δ M : [M]
    ──────────────────────────────────────
    ⊢_δ let !x = V in M : [M] + [V] + 3̄

Table 1. Inferring a bound from a λ^reg_LAL typing judgment

We now prove the soundness of our model with respect to λ^reg_LAL and, as a corollary, the bounded-time termination theorem.

Table 1 describes how to infer an element of M from a λ^reg_LAL typing judgment: the notation [M] corresponds to the element of M already inferred from the typing judgment of M, and each rule corresponds to the way [M] is built.

Definition 10. We use the notations V̄, p̄ and ȳ to denote respectively a list of values [V1, …, Vn], a list [p1, …, pn] of elements of M and a list of variables [y1, …, yn]. If M is a term, we denote by M[V̄/ȳ] the term M[V1/y1, …, Vn/yn]. If p̄ is a list of elements of M and † ∈ {!, §}, we denote by †p̄ the list [†p1, …, †pn]. We also define Σp̄ to be the sum Σ_{1≤i≤n} p_i.

If A is a type then we define λA as A itself. Suppose Γ = x1 : (ε1, A1), …, xn : (εn, An). Then the notation (V̄, p̄) ⊩_δ Γ stands for (W_i, p_i) ∈ ||R ⊢ ε_i A_i||_δ for 1 ≤ i ≤ n with W_i = V_i if ε_i = λ and W_i = †V_i if ε_i = †.

Example 4. If we have (V̄, p̄) ⊩_δ (x1 : (λ, A1), x2 : (§, A2), x3 : (!, A3)) then V̄ = [V1, V2, V3] and p̄ = [p1, §p2, !p3] such that (V1, p1) ∈ ||R ⊢ A1||_δ, (§V2, §p2) ∈ ||R ⊢ §A2||_δ and (!V3, !p3) ∈ ||R ⊢ !A3||_δ.

Theorem 2 (Adequacy). Suppose that R; Γ ⊢_δ M : C. Let (V̄, p̄) ⊩_δ Γ. Then, for any 𝒮 such that |R|_δ ⊑ 𝒮,

  (M[V̄/x̄], [M] + Σp̄) ∈ |R ⊢ C|^𝒮_δ

Moreover, if M is a value, then we have (M[V̄/x̄], [M] + Σp̄) ∈ ||R ⊢ C||_δ.

Before giving the proof of Theorem 2, let us begin with an essential remark about the definition of the interpretation of a region context R.

Remark 6. Let |R|_{δ+1} ⊑ 𝒮'. If (S, s) ∈ 𝒮', it can be uniquely written (S^{≤δ} ⊎ S_{=δ+1} ⊎ S_r, §s_δ + s_{δ+1} + s_r) where (S^{≤δ}, s_δ) ∈ |R|_δ, (S_{=δ+1}, s_{δ+1}) ∈ |R|_{=δ+1} and dom(S_r) ⊆ { r_i | δ_i > δ + 1 }. Hence, if we form the set 𝒮'_δ = { (S, s) | (S, §s + s_{δ+1} + s_r) ∈ 𝒮' ∧ (S^{≤δ}, s) ∈ |R|_δ }, it is such that |R|_δ ⊑ 𝒮'_δ.

We also need two intermediate lemmas. The first one is about the promotion rule for §.

Lemma 2 (Promotion). Suppose that for any 𝒮 such that |R|_δ ⊑ 𝒮, (M, m) ∈ |R ⊢ A|^𝒮_δ holds. Then for any 𝒮 such that |R|_{δ+1} ⊑ 𝒮, we have (§M, §m + 4̄) ∈ |R ⊢ §A|^𝒮_{δ+1}.

Proof. Take 𝒮 such that |R|_{δ+1} ⊑ 𝒮, (E, e) ∈ (|R ⊢ §A|^𝒮_{δ+1})^{⊥𝒮} and (S', s') ∈ 𝒮. We have s' = §s_δ + s_0 with (S'^{≤δ}, s_δ) ∈ |R|_δ (see Remark 6). We want to show that ((§M, E, S'), e(§m + 4̄ + s')) ∈ ⊥⊥. By anti-reduction and ≤-saturation (by monoidality of §), it suffices to show ((M, § · E, S'), e(§(m + s_δ) + s_0 + 3̄)) ∈ ⊥⊥. We pose 𝒮' = { (S, s) | (S, §s + s_0) ∈ 𝒮 ∧ (S^{≤δ}, s) ∈ |R|_δ }. Since |R|_δ ⊑ 𝒮' and (S', s_δ) ∈ 𝒮', it is sufficient to prove (§ · E, λx.e(§x + 3̄ + s_0)) ∈ (|R ⊢ A|^{𝒮'}_δ)^{⊥𝒮'} = ||R ⊢ A||_δ^{⊥𝒮'}. So let (V, v) ∈ ||R ⊢ A||_δ and (S, s) ∈ 𝒮'. We know that (§V, §v) ∈ ||R ⊢ §A||_{δ+1}. Moreover, (S, §s + s_0) ∈ 𝒮. Since (E, e) ∈ ||R ⊢ §A||_{δ+1}^{⊥𝒮}, we have ((§V, E, S), e(§v + §s + s_0)) ∈ ⊥⊥. So by →-saturation, ((V, § · E, S), e(§v + 1̄ + §s + s_0)) ∈ ⊥⊥. Hence, by distributivity of §, we obtain ((V, § · E, S), e(§(v + s) + 2̄ + 1̄ + s_0)) ∈ ⊥⊥.

The proof of this last lemma is very important, since it justifies many design choices of our model.

— Its proof crucially relies on the fact that in the definition of the region context interpretation each value is guarded by a modality § and not by a modality !. Indeed, it requires the monoidality property, which is true for § but not for !: ∀p, q ∈ M, §(p + q) ≤ §p + §q.

— It also relies on the fact that we can consider any set of stores 𝒮 such that |R|_δ ⊑ 𝒮, which is also built into our interpretation of the linear arrow ⊸.

— It also justifies the fact that we need to consider M-contexts which are not only of the form λx.x + p, since in this proof we use functions of the form x ↦ §x + p.
We also prove a commutation lemma, which is needed when one wants to use
biorthogonality in the presence of call-by-value and modalities like $!$ or $\S$.

Lemma 3 (Commutation). Suppose that $\forall (V, p) \in X,\ (M[V/x], q + p) \in Y$. Then for every $\mathcal S$, we have $\forall (V, p) \in X^{\bot_{\mathcal S}\bot_{\mathcal S}},\ (M[V/x], q + p + 2) \in Y^{\bot_{\mathcal S}\bot_{\mathcal S}}$.

Proof. The proof mainly uses the properties of $\to$-saturation and of $\bot$-closure.
Here is a series of implications.

$$\begin{array}{l}
\forall (V,p) \in X,\ (M[V/x], q+p) \in Y \\
\Rightarrow \forall (V,p) \in X,\ \forall (E,e) \in Y^{\bot_{\mathcal S}},\ \forall (S,s) \in \mathcal S,\ ((M[V/x], E, S), e(q+p+s)) \in \bot\!\!\bot \\
\Rightarrow \forall (V,p) \in X,\ \forall (E,e) \in Y^{\bot_{\mathcal S}},\ \forall (S,s) \in \mathcal S,\ ((V, (\lambda x.M) \odot E, S), e(q+p+s+2)) \in \bot\!\!\bot \\
\Rightarrow \forall (E,e) \in Y^{\bot_{\mathcal S}},\ ((\lambda x.M) \odot E, \lambda x.\,e(q+x+s+2)) \in X^{\bot_{\mathcal S}} \\
\Rightarrow \forall (E,e) \in Y^{\bot_{\mathcal S}},\ ((\lambda x.M) \odot E, \lambda x.\,e(q+x+s+2)) \in X^{\bot_{\mathcal S}\bot_{\mathcal S}\bot_{\mathcal S}} \\
\Rightarrow \forall (V,p) \in X^{\bot_{\mathcal S}\bot_{\mathcal S}},\ \forall (E,e) \in Y^{\bot_{\mathcal S}},\ \forall (S,s) \in \mathcal S,\ ((V, (\lambda x.M) \odot E, S), e(q+p+s+2)) \in \bot\!\!\bot \\
\Rightarrow \forall (V,p) \in X^{\bot_{\mathcal S}\bot_{\mathcal S}},\ \forall (E,e) \in Y^{\bot_{\mathcal S}},\ \forall (S,s) \in \mathcal S,\ ((M[V/x], E, S), e(q+p+s+2)) \in \bot\!\!\bot \\
\Rightarrow \forall (V,p) \in X^{\bot_{\mathcal S}\bot_{\mathcal S}},\ (M[V/x], q+p+2) \in Y^{\bot_{\mathcal S}\bot_{\mathcal S}}
\end{array}$$



We can now prove Theorem 2.

Proof. This theorem is proved by induction on the typing judgment. When we
consider a value, we only prove the second statement, since it implies the first
(by the properties of biorthogonality).

(v) This case is immediate by substitution.
(r), (u), (int) and (arith) These cases are trivial, by definition of $\|R \vdash \mathsf{Unit}\|_\delta$ and
$\|R \vdash \mathsf{Reg}_r\,A\|_\delta$.
(w) This case is just an application of $\le$-saturation.
(fold), (unfold) The two fixpoint rules are easy, since we have $\|R \vdash \mu X.A\|_\delta = \|R \vdash A[\mu X.A/X]\|_\delta$.
(lam) If the last rule used is the introduction of $\lambda$:

$$\frac{R;\,\Gamma, y : (\lambda, A) \vdash_\delta N : B}{R;\,\Gamma \vdash_\delta \lambda y.N : A \multimap B}$$

We take $(V, p) \Vdash_\delta \Gamma$. We denote by $N' = N[V/x]$ and $p' = \sum p$. By induction
hypothesis we know that for every $\mathcal S$ such that $|R|_\delta \subseteq \mathcal S$ and every $(V', v') \in \|R \vdash A\|_\delta$, $(N'[V'/y], \llbracket N' \rrbracket + p' + v') \in |R \vdash B|^{\mathcal S}_\delta$. That means exactly that
$(\lambda y.N', \llbracket \lambda y.N' \rrbracket + p') \in \|R \vdash A \multimap B\|_\delta$ where $\llbracket \lambda y.N \rrbracket = \llbracket N \rrbracket$.
(app) Here, to simplify the presentation, we suppose the contexts are empty (it
does not change the argument).

$$\frac{R;\, \vdash_\delta M : A \multimap B \qquad R;\, \vdash_\delta N : A}{R;\, \vdash_\delta MN : B}$$

Take $\mathcal S$ such that $|R|_\delta \subseteq \mathcal S$. By induction hypothesis we have

$$(M, \llbracket M \rrbracket) \in |R \vdash A \multimap B|^{\mathcal S}_\delta \qquad (N, \llbracket N \rrbracket) \in |R \vdash A|^{\mathcal S}_\delta$$

Take $(E, e) \in (|R \vdash B|^{\mathcal S}_\delta)^{\bot_{\mathcal S}}$ and $(S, s) \in \mathcal S$. We want to show that

$$((MN, E, S), e(\llbracket MN \rrbracket + s)) \in \bot\!\!\bot$$

where $\llbracket MN \rrbracket = \llbracket M \rrbracket + \llbracket N \rrbracket + 3$. But $(MN, E, S) \to (N, M \odot E, S)$. Then, it
suffices to show $(M \odot E, \lambda x.\,e(\llbracket M \rrbracket + 2 + x)) \in \|R \vdash A\|_\delta^{\bot_{\mathcal S}}$. Take $(V_A, v_A) \in \|R \vdash A\|_\delta$ and $(S', s') \in \mathcal S$. Now we have to prove

$$((V_A, M \odot E, S'), e(\llbracket M \rrbracket + v_A + 2 + s')) \in \bot\!\!\bot$$

But $(V_A, M \odot E, S') \to (M, V_A \cdot E, S')$, so by $\to$-saturation we only have to
prove $(V_A \cdot E, \lambda x.\,e(x + v_A + 1)) \in \|R \vdash A \multimap B\|_\delta^{\bot_{\mathcal S}}$. Let $(\lambda x.P, p) \in \|R \vdash A \multimap B\|_\delta$ and $(S, s) \in \mathcal S$. We have $(\lambda x.P, V_A \cdot E, S) \to (P[V_A/x], E, S)$.
But since $(P[V_A/x], p + v_A) \in |R \vdash B|^{\mathcal S}_\delta$, we have

$$((P[V_A/x], E, S), e(p + v_A + s)) \in \bot\!\!\bot$$

Hence, we conclude that $(V_A \cdot E, \lambda x.\,e(x + v_A + 1)) \in \|R \vdash A \multimap B\|_\delta^{\bot_{\mathcal S}}$ by
$\to$-saturation.
(st) In this case, we have the following typing rule

$$\frac{r : (\delta, \S C) \in R \qquad R;\,\Gamma \vdash_\delta V : C}{R;\,\Gamma \vdash_\delta \mathsf{set}(r, \S V) : \mathsf{Unit}}$$

Here, it is safe to consider that $\Gamma = \emptyset$ since $V$ is closed (the case $\Gamma \neq \emptyset$ is
recovered from the case $\Gamma = \emptyset$ by $\le$-saturation). Let $\mathcal S$ such that $|R|_\delta \subseteq \mathcal S$,
$(E, e) \in \|R \vdash \mathsf{Unit}\|_\delta^{\bot_{\mathcal S}}$ and $(S, s) \in \mathcal S$. We want to prove

$$((\mathsf{set}(r, \S V), E, S), e(\S \llbracket V \rrbracket + 1 + s)) \in \bot\!\!\bot$$

But we have $(S, s + \S \llbracket V \rrbracket) \in \mathcal S$ so

$$((*, E, S \uplus \{r \mapsto \S V\}), e(s + \S \llbracket V \rrbracket)) \in \bot\!\!\bot$$

Hence by $\to$-saturation and monotonicity of $e$, we obtain the result.
(get) We now justify the get typing rule, which says that if $r : (\delta, \S A) \in R$, then

$$R;\, \vdash_\delta \mathsf{get}(r) : \S A$$

Let $\mathcal S$ be such that $|R|_\delta \subseteq \mathcal S$, $(E, e) \in \|R \vdash \S A\|_\delta^{\bot_{\mathcal S}}$ and $(S, s) \in \mathcal S$. So consider
one possible decomposition $S = S' \uplus \{r \mapsto \S V\}$; then we can decompose
$s = s' + \S s_V$ with $(V, s_V) \in |R \vdash A|^{\mathcal S'}_{\delta-1}$ for any $\mathcal S'$ such that $|R|_{\delta-1} \subseteq \mathcal S'$.

We then have

$$(\mathsf{get}(r), E, S) \to (\S V, E, S')$$

Moreover, by Lemma 2, $(\S V, \S s_V + 4) \in |R \vdash \S A|^{\mathcal S}_\delta$ and $(S', s') \in \mathcal S$. Hence,

$$((\S V, E, S'), e(\S s_V + 4 + s')) \in \bot\!\!\bot$$

Hence, by $\to$-saturation, $((\mathsf{get}(r), E, S), e(5 + s)) \in \bot\!\!\bot$. We conclude that $(\mathsf{get}(r), 5) \in \ldots$

(c) We want to justify the contraction rule

$$\frac{R;\,\Gamma, y : (!, A), z : (!, A) \vdash_\delta M : B}{R;\,\Gamma, y : (!, A) \vdash_\delta M[y/z] : B}$$

We take $(W, p) \Vdash_\delta \Gamma$. We denote by $M' = M[W/x]$ and $p' = \sum p$. Let $\mathcal S$ such
that $|R|_\delta \subseteq \mathcal S$. We take $(V, v) \in \|R \vdash A\|_{\delta-1}$. By induction hypothesis we
have $(M'[V/y, V/z], \llbracket M \rrbracket + p' + {!}v + {!}v) \in |R \vdash B|^{\mathcal S}_\delta$. Since $\|{!}p + {!}p\| \le \|{!}p + 2\|$
for any $p \in \mathcal M$, we conclude that $(M'[y/z][V/y], \llbracket M \rrbracket + p' + {!}v) \in |R \vdash B|^{\mathcal S}_\delta$.
The case where $M'$ is a value is similar.
(!prom) The $!$ promotion rule is as follows.

$$\frac{R;\,x : (\lambda, A) \vdash_{\delta-1} V : B}{R;\,x : (!, A) \vdash_\delta\ {!}V : {!}B}$$

Let $(V', p) \in \|R \vdash A\|_{\delta-1}$. We know by induction that there is some $q$ such
that $q \le \llbracket V \rrbracket + p$ with $(V[V'/x], q) \in \|R \vdash B\|_{\delta-1}$. We then have immediately
that

$$({!}V[V'/x], {!}q) \in \|R \vdash {!}B\|_\delta$$

and so

$$({!}V[V'/x], {!}(\llbracket V \rrbracket + p)) \in \|R \vdash {!}B\|_\delta$$

But $\|{!}(\llbracket V \rrbracket + p)\| \le \|{!}\llbracket V \rrbracket + {!}p\|$ by Property 5. Hence, by $\le$-saturation, $(({!}V)[V'/x], {!}(\llbracket V \rrbracket) + {!}p) \in \|R \vdash {!}B\|_\delta$.
(§prom) Here, suppose the rule is written

$$\frac{R;\,x_1 : (\lambda, A_1), \ldots, x_n : (\lambda, A_n) \vdash_{\delta-1} M : C}{R;\,x_1 : (\S, A_1), \ldots, x_n : (\S, A_n) \vdash_\delta \S M : \S C}$$

Let's take $(V_i, p_i) \in \|R \vdash A_i\|_{\delta-1}$ for $1 \le i \le n$ and $(W_j, q_j) \in \|R \vdash B_j\|_{\delta-1}$
for $1 \le j \le k$. We know by induction hypothesis that for any $\mathcal S$ such that
$|R|_{\delta-1} \subseteq \mathcal S$, we have $(M[V_i/x_i, W_j/y_j], \llbracket M \rrbracket + \sum_i p_i + \sum_j q_j) \in |R \vdash C|^{\mathcal S}_{\delta-1}$.
Take $\mathcal S'$ such that $|R|_\delta \subseteq \mathcal S'$. Hence, by Lemma 2,

$$(\S M[V_i/x_i, W_j/y_j],\ \S(\llbracket M \rrbracket + \textstyle\sum_i p_i + \sum_j q_j) + 4) \in |R \vdash \S C|^{\mathcal S'}_\delta$$

But, by Property 5, we have $\|\S(\llbracket M \rrbracket + \sum_i p_i + \sum_j q_j)\| \le \|\S \llbracket M \rrbracket + \sum_i \S p_i + \sum_j \S q_j\|$. We can conclude

$$(\S M[V_i/x_i, W_j/y_j],\ \llbracket \S M \rrbracket + \textstyle\sum_i \S p_i + \sum_j {!}q_j) \in |R \vdash \S C|^{\mathcal S'}_\delta$$

(§elim) The rule is as follows (where the variables respectively associated to the
contexts $\Gamma_\lambda, \Delta_\lambda, \Gamma_!, \Delta_!, \Gamma_\S$ and $\Delta_\S$ are noted $x, x', y, y', z, z'$).

$$\frac{R;\,\Gamma \vdash_\delta V : \S B \qquad R;\,\Delta, x_\S : (\S, B) \vdash_\delta M : C}{R;\,\Gamma, \Delta \vdash_\delta \mathsf{let}\ \S x_\S = V\ \mathsf{in}\ M : C}$$

We take $(V_\Gamma, p) \Vdash_\delta \Gamma$ and $(V_\Delta, p') \Vdash_\delta \Delta$. We pose

$$V' = V[V_\Gamma/x] \qquad p_V = \textstyle\sum p \qquad M' = M[V_\Delta/x'] \qquad p_M = \textstyle\sum p'$$

Let's take $\mathcal S$ such that $|R|_\delta \subseteq \mathcal S$. Then, by induction hypothesis, we know
that if $(\S W, \S p_W) \in \|R \vdash \S B\|_\delta$,

$$(M'[W/x_\S], \llbracket M \rrbracket + p_M + \S p_W) \in |R \vdash C|^{\mathcal S}_\delta$$

By $\to$-saturation (by considering a context), we obtain that for any $(\S W, \S p_W) \in \|R \vdash \S B\|_\delta$,

$$(\mathsf{let}\ \S x_\S = \S W\ \mathsf{in}\ M', \llbracket M \rrbracket + 1 + p_M + \S p_W) \in |R \vdash C|^{\mathcal S}_\delta$$

But we also know by induction hypothesis that $(V', \llbracket V \rrbracket + p_V) \in |R \vdash \S B|^{\mathcal S}_\delta$.

Hence, by Lemma 3, since $|R \vdash C|^{\mathcal S}_\delta = \|R \vdash C\|_\delta^{\bot_{\mathcal S}\bot_{\mathcal S}}$, we obtain

$$(\mathsf{let}\ \S x_\S = V'\ \mathsf{in}\ M', \llbracket M \rrbracket + \llbracket V \rrbracket + 3 + p_V + p_M) \in |R \vdash C|^{\mathcal S}_\delta$$

(!elim) This case is completely similar to the previous case, except that we have to replace
every mention of $\S$ by $!$.

As a corollary of the adequacy theorem, we obtain the announced bounded-time
termination theorem for the programs of our language.

Proof (Termination theorem). This theorem is proved using adequacy
together with Property 3. Indeed, we know that $(M, \circ, \circ)$ terminates in
at most $\|\llbracket M \rrbracket\|$ steps. But it is easy to see that only the promotion rules for $\S$
and $!$ make the value of $\|\llbracket M \rrbracket\|$ increase significantly: the degree of the third
component of $\llbracket M \rrbracket$ (which is a polynomial) is bounded by a function of the depth
of $M$. A similar argument is made more precise in [ ], for instance.






4 Related Work 

Approximation modality — In a series of two papers, Nakano intro-
duced a normalizing intuitionistic type system that features recursive types,
which are guarded by a modality • (the approximation modality). Nakano also
defines an indexed realizability semantics for this type system. The modality $\S$
plays in our work almost the same role as •: it makes the index increase. We
claim that when we forget the quantitative part of our model, we obtain a model
for a language with guarded references, which can be extended to handle control
operators, based on a fragment of Nakano's type system: the only difference is
that the • modality does not enjoy digging anymore (in the presence of control op-
erators, this principle would break normalization).

Stratified semantics for light logics — Several semantics for the "light"
logics have been proposed, beginning with fibered phase models [16], a truth-
value semantics for LLL. We can also mention stratified coherent spaces [4].
These two models are indexed, like ours, but while their indexing is used to achieve
completeness with respect to the logic, we use it to interpret fixpoints and ref-
erences.

Reactive programming — In [18], Krishnaswami et al. have proposed a
type system for a discrete-time reactive programming language that bounds the
size of the data flow graph produced by programs. It is based on linear types
and a Nakano-style approximation modality, thus bounding space consumption
and allowing recursive definitions at the same time. They provide a denotational
semantics based on both ultrametric semantics and length spaces. The lat-
ter, introduced by Hofmann [8], constitute the starting point of the quantitative
realizability presented here.

5 Research directions 

We see several possible directions we plan to explore. 

Control operators — Since we use a biorthogonality-based model, it
is natural to extend the language with control operators. Adding the call-cc
operator can be done, but it requires adding a modality type ? for duplicable
contexts. This involves some technical subtleties in the quantitative part, like
the symmetrization of the notion of $\mathcal M$-contexts. Indeed, in our framework, an
$\mathcal M$-context can be used to promote a weight associated to a term, but with this
new ? type, a weight associated to a term would need to be able to promote a
weight associated to a stack.

Multithreading — In the original work of Amadio and Madet [13], the
language features regions but also multithreading. It is possible to add it to
our language, but so far it seems difficult to adapt the quantitative framework for this
extension. It may be possible to adapt the notion of saturated store presented in
[ ], but with a boundedness requirement on it. We plan to explore this direction
in the future.